Hi guys, I've deployed Graylog to use as a syslog solution. Currently using Sidecar to do the collection of winlogs only.
Been running a week and started loading some more hosts ... Then Pooooooof, Graylog fell over. Initially I was clueless as to what's going on. After a bit of digging, I found the dreaded Elasticsearch error which seems to be quite common (bytes can be at most 32766 in length). I have found a few articles where people say update the analyser, some others that mention setting index to not_analyzed or Index No. Another post mentioned to set ignore_above => 256. Thing is ... I have no clue where to even try setting these things. Can anybody shed some light please?

I have managed to find the actual message that is too large on the originating server which is causing the failure. Turns out to be an HP WBEM Dump Event (Id 1001). If anyone knows how I can prevent this from happening, or define some sort of "exclude" for this message, that would be a great help. Perhaps I could instruct the Sidecar collector to ignore this message? Is that possible? Would anyone know?

PS - I have tried this with Graylog 2.1 and just tried with 2.2 as well. Both doing the same thing...

Appreciate your help guys :)

Thanks
Paul.

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/efbdfc18-f1e1-4084-be9a-0297da880de6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
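As an added example that is not part of the original post: a small Python check for the limit the Elasticsearch error names (Lucene allows at most 32766 bytes per indexed term, measured on the UTF-8 encoding). It reports which fields of an event exceed the limit and truncates them on a character boundary before they reach the index; the field names and the 40000-character sample event are constructed for illustration.

```python
# Added example, not Graylog's or Elasticsearch's own code: find and clamp
# message fields that would exceed Lucene's per-term byte limit.

MAX_TERM_BYTES = 32766  # Lucene's hard limit for one indexed term (UTF-8 bytes)


def oversized_fields(message: dict, limit: int = MAX_TERM_BYTES) -> dict:
    """Return {field: byte_length} for string fields whose UTF-8 encoding
    exceeds `limit`; these are the fields that trip the Elasticsearch error."""
    result = {}
    for name, value in message.items():
        if isinstance(value, str):
            size = len(value.encode("utf-8"))
            if size > limit:
                result[name] = size
    return result


def truncate_utf8(value: str, limit: int = MAX_TERM_BYTES) -> str:
    """Cut `value` so its UTF-8 encoding is at most `limit` bytes without
    splitting a multi-byte character."""
    data = value.encode("utf-8")
    if len(data) <= limit:
        return value
    # errors="ignore" drops the partial trailing character left by the cut
    return data[:limit].decode("utf-8", errors="ignore")


def clamp_message(message: dict, limit: int = MAX_TERM_BYTES) -> dict:
    """Return a copy of `message` with oversized string fields truncated and
    a `truncated_fields` marker naming them, so the event can still be found."""
    clamped = dict(message)
    touched = sorted(oversized_fields(message, limit))
    for name in touched:
        clamped[name] = truncate_utf8(message[name], limit)
    if touched:
        clamped["truncated_fields"] = ",".join(touched)
    return clamped


if __name__ == "__main__":
    # Constructed stand-in for an oversized HP WBEM dump event (Id 1001)
    sample = {"source": "host01", "EventID": "1001", "message": "x" * 40000}
    print(oversized_fields(sample))  # {'message': 40000}
    fixed = clamp_message(sample)
    print(len(fixed["message"].encode("utf-8")), fixed["truncated_fields"])  # 32766 message
```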